A French online shop named “Kook King Shop”, which sells Burger King products aimed at kids, was maintaining an unprotected database that included sensitive information on thousands of customers. According to reports, the unprotected cluster held all of the exposed information in plain text, with no encryption, and had been left open to anyone without authentication since at least April 24, 2019, and possibly earlier.
The entries contain names, phone numbers, emails and passwords used to log in to the shop’s portal, dates of birth, voucher codes, and links to any certificates belonging to the customer. As many as 25 administrators were also affected, with their full names, emails, CRM access details, and encrypted passwords all exposed. The database also contained the e-commerce backend logs along with the associated debug information.
Burger King was quick to respond. In a statement, it said: “Data protection is critical to Burger King and we do take these matters very seriously. All the necessary actions legally required have been taken internally and with our service provider immediately after this incident came to our knowledge to ensure the effective resolution of the problem as well as the safety of our clients’ data. We are also liaising with the relevant national authority having jurisdiction in this respect. We wanted to keep you informed that the issue has been investigated and that such possible vulnerability is now corrected.”
Luckily for Burger King, the exposure was discovered soon enough. Had it remained undiscovered for longer, the company could have found its MongoDB servers infected with malware or ransomware, escalating the incident and causing far greater damage.
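The root cause described above is a MongoDB deployment that accepts connections from the internet without requiring authentication. As an added illustration that is not part of the original article and says nothing about the shop's actual configuration, the fragment below contrasts a `mongod.conf` with the two settings that produce that exposure against a hardened version; the file path and the values are assumed, while the keys (`net.bindIp`, `net.port`, `security.authorization`, `storage.dbPath`, `systemLog.path`) are standard MongoDB configuration options.

```yaml
# Assumed file: /etc/mongod.conf (example only, not the shop's real configuration)

# --- Exposed configuration (the failure mode described in the article) ---
# net:
#   port: 27017
#   bindIp: 0.0.0.0          # listens on every interface, reachable from the internet
# security:
#   authorization: disabled  # no username/password required to read or write
#
# Anyone who can reach port 27017 can dump every collection in plain text.

# --- Hardened configuration ---
storage:
  dbPath: /var/lib/mongodb

systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true

net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address only
  tls:
    mode: requireTLS          # encrypt traffic between the application and the database
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path

security:
  authorization: enabled      # every connection must authenticate and be authorized
```

With `authorization: enabled`, an administrative user still has to be created before any data is readable, and the application should connect with a dedicated least-privilege role limited to its own database. A quick defensive check after deployment is to confirm from a host outside the private network that port 27017 does not answer at all, and from inside that an unauthenticated client is refused.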